
AWS

In love w CloudSec

Configuration

  • Create a root user and an IAM user

  • The IAM user must have a custom console password set, along with an Access Key ID and Secret Access Key generated

  • Under IAM, create a normal user with the AdministratorAccess policy attached, and create a misconfigured S3 bucket whose objects are publicly accessible

  • Meanwhile, access the account via awscli

$ aws configure --profile demo-user
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
....
  • The keys are now stored under ~/.aws/credentials - to confirm, we can query the user identity

$ aws iam get-user --profile demo-user
{
    "User": {
        "Path": "/",
        "UserName": "demo-user",
        "UserId": "*******************",
        "Arn": "arn:aws:iam::***********:user/demo-user",
        "CreateDate": "2023-09-18T09:07:45+00:00",
        "PasswordLastUsed": "2023-09-18T09:08:21+00:00"
    }
}
  • We can now interact with the misconfigured S3 bucket

$ aws s3 ls --profile demo-user        # List the buckets
2023-09-18 14:41:53 securebucketnxg

$ aws s3 ls s3://securebucketnxg --profile demo-user    # List the objects inside the public bucket
2023-09-18 14:42:37     242687 IoT.pdf

$ aws s3 sync s3://securebucketnxg output_dir --profile demo-user     # Download the objects

So far we've tested and dumped the contents of the IAM user and the buckets. What if an unknown user finds the bucket name? How would he approach it?

  • You guessed it, it's actually the same way, and he would get the objects within the bucket if it's publicly exposed

S3 Bucket - Best Practice

  • Navigate to Amazon S3 > Buckets > securebucketnxg > IoT.pdf > Edit access control list

After unchecking

  • Everyone

  • Anyone with AWS account

no unknown user can list the objects within the S3 bucket - Best Practice!

$ aws s3 ls s3://securebucketnxg --profile different_user
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
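A way to verify the same fix from the command line rather than by clicking through the console, added here as an example that is not from the original GitBook: the script parses the ACL JSON that `aws s3api get-bucket-acl` / `get-object-acl` print and flags any grant to the AllUsers group (the "Everyone" checkbox) or the AuthenticatedUsers group ("Anyone with AWS account"). The sample ACLs and owner values are constructed; note that listing the bucket is governed by the bucket ACL while reading IoT.pdf is governed by that object's ACL, so both are audited.

```python
import json
import subprocess
# S3 group URIs behind the two console checkboxes unchecked above.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Anyone with AWS account",
}

def public_grants(acl):
    """Return (group label, permission) for each grant in an ACL document
    (the JSON printed by `aws s3api get-bucket-acl` / `get-object-acl`)
    that goes to one of the two public groups. An empty list means clean."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return hits

def audit(bucket, profile, keys=()):
    """Fetch the bucket ACL (governs listing) and each object ACL (governs
    reading that object) through awscli; return {target: public grants}."""
    targets = {bucket: ["get-bucket-acl", "--bucket", bucket]}
    for key in keys:
        targets[f"{bucket}/{key}"] = ["get-object-acl", "--bucket", bucket, "--key", key]
    report = {}
    for name, args in targets.items():
        cmd = ["aws", "s3api", *args, "--profile", profile, "--output", "json"]
        out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
        hits = public_grants(json.loads(out))
        if hits:
            report[name] = hits
    return report

# Constructed sample of an object ACL before and after the fix above;
# the owner ID and display name are placeholders, not real values.
OWNER = {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER", "DisplayName": "demo-owner"}
MISCONFIGURED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
]}
FIXED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print("before fix:", public_grants(MISCONFIGURED_ACL))  # two public READ grants
    print("after fix: ", public_grants(FIXED_ACL))          # []
    # Live check (needs awscli + the demo-user profile): print(audit("securebucketnxg", "demo-user", keys=["IoT.pdf"]))
```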

Launch an EC2 Instance

  • Search for EC2

  • Generate a key pair - the instance can then be accessed via ssh or PuTTY

  • Launch a simple instance with the default inbound rules (as of now)

$ chmod 400 cashserver.pem
$ ssh -i "cashserver.pem" ec2-user@ec2-13-x-38-x.eu-north-1.compute.amazonaws.com

Last updated 1 year ago